Home page logo
/

basics logo Security Basics mailing list archives

Re: Frequent offenders list
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 26 Nov 2002 07:16:13 -0500

Thanks to everyone who responded... the verdict is definitely dshield. I
was considering making it standard practice to block these addresses at
my firewall and update on a weekly basis.  I'm interested in what others
think about this - recommended/valuable or not?  So far I haven't seen
that the list of addresses at dshield match any of those that are
portscanning us but I figured it couldn't hurt.

Vinod Yegneswaran, a student at the Univ. of Wisconsin, just wrote a
paper looking into this question:
http://www.dshield.org/WisconsinDShieldPaper.pdf

If you intent to use the list for blocking, I recommend our 
official block list. See http://www.dshield.org/block_list_info.html
for more details.

The '100 targets' list was setup after people asked for a more
extensive blocklist. So you can give it a try and see how it works
for you. 

Using a list based on correlated data from a large user group makes
spoofing harder but not impossible. While the block list is regularly
reviewed for 'sane-ness', the '100 targets' list is too large to
do the same.

Usually, I am discouraging the use of the top 10 list, as it is too
limited. 

Another note: While the data feeds from DShield are free to use, we
hope you find them useful enough to contribute to the system by 
sending your own logs.


-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]